From 89a9d4b9d60e808f3700c719f27caf3b5dc83334 Mon Sep 17 00:00:00 2001
From: Lorenz Stechauner
Date: Thu, 10 Nov 2022 20:21:25 +0100
Subject: [PATCH] Fix chunked splicing
---
 src/lib/fastcgi.c | 19 +++++++++++++++++--
 src/lib/sock.c | 19 +++++++++++++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/lib/fastcgi.c b/src/lib/fastcgi.c
index e5a8dba..1c02e01 100644
--- a/src/lib/fastcgi.c
+++ b/src/lib/fastcgi.c
@@ -628,9 +628,24 @@ int fastcgi_receive_chunked(fastcgi_conn *conn, sock *client) {
 while (1) {
 ret = sock_recv(client, tmp, sizeof(tmp), MSG_PEEK);
 if (ret < 0) return -2;
+ else if (ret < 2) continue;
+
+ int len = 0;
+ for (int i = 0; i < ret; i++) {
+ char ch = tmp[i];
+ if (ch == '\r') {
+ continue;
+ } else if (ch == '\n') {
+ len = i + 1;
+ break;
+ } else if (!((ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'f') || (ch >= 'A' && ch <= 'F'))) {
+ return -2;
+ }
+ }
+ if (len == 0) continue;
+
 next_len = strtol(tmp, NULL, 16);
- char *ptr = strstr(tmp, "\r\n");
- ret = sock_recv(client, tmp, ptr - tmp + 2, 0);
+ ret = sock_recv(client, tmp, len, 0);
 if (ret < 0) return -2;
 if (next_len <= 0) break;
diff --git a/src/lib/sock.c b/src/lib/sock.c
index e164680..af12e24 100644
--- a/src/lib/sock.c
+++ b/src/lib/sock.c
@@ -112,9 +112,24 @@ long sock_splice_chunked(sock *dst, sock *src, void *buf, unsigned long buf_len)
 while (1) {
 ret = sock_recv(src, tmp, sizeof(tmp), MSG_PEEK);
 if (ret < 0) return -2;
+ else if (ret < 2) continue;
+
+ int len = 0;
+ for (int i = 0; i < ret; i++) {
+ char ch = tmp[i];
+ if (ch == '\r') {
+ continue;
+ } else if (ch == '\n') {
+ len = i + 1;
+ break;
+ } else if (!((ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'f') || (ch >= 'A' && ch <= 'F'))) {
+ return -2;
+ }
+ }
+ if (len == 0) continue;
+
 next_len = strtol(tmp, NULL, 16);
- char *ptr = strstr(tmp, "\r\n");
- ret = sock_recv(src, tmp, ptr - tmp + 2, 0);
+ ret = sock_recv(src, tmp, len, 0);
 if (ret < 0) return -2;
 if (next_len <= 0) break;
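Review bot: The two new `continue` statements in the peek loop of fastcgi_receive_chunked can retry forever without consuming anything. `else if (ret < 2) continue;` also takes `ret == 0`, which is end-of-stream if sock_recv returns what recv() returns (its body is not in this diff), and `if (len == 0) continue;` re-peeks the same bytes once `tmp` is full of hex digits with no `\n`; in both cases a peer that closes early or sends an over-long size line keeps the worker spinning. I would fail those cases instead: `if (ret <= 0) return -2;` and `if (len == 0) { if ((size_t) ret == sizeof(tmp)) return -2; continue; }`. The hunk for sock_splice_chunked in src/lib/sock.c has the same two lines; both loops continue past the end of their hunks.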
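Review bot: `next_len = strtol(tmp, NULL, 16);` in sock_splice_chunked is not limited to the `len` bytes the new loop validated. strtol skips leading whitespace, which includes `\r` and `\n`, and the loop accepts `\r` at any position and a line with no hex digit at all, so for a line such as a bare `\r\n` the conversion continues into the bytes after `len` (and past `tmp` if the buffer is not NUL-terminated; its declaration is outside the hunk), giving a chunk size that does not belong to the line being consumed. Lenient size-line parsing like this is also where two HTTP parsers start to disagree about framing. I would reject a line that does not start with a digit and check the end pointer (with `char *end;` declared): `if (tmp[0] == '\r' || tmp[0] == '\n') return -2;` then `next_len = strtol(tmp, &end, 16); if (end != tmp + len - 2 || *end != '\r') return -2;`, which also enforces a strict CRLF. The same applies to the fastcgi_receive_chunked hunk in src/lib/fastcgi.c.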